Opened 2 months ago

Last modified 2 months ago

#1245 new Bug / Defect

segfault error 14 in liblber-2.4.so.2.10.8

Reported by: ctodd@…
Owned by:
Priority: major
Milestone: release 2.4.8
Component: Generic / unclassified
Version: OpenVPN 2.4.8 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: segfault liblber
Cc: bmccord@…

Description

Ubuntu 18.04.3 running OpenVPN 2.4.8. Server uses LDAP for authentication and periodically (about once every few days) stops authenticating users. Leading up to this issue, we sometimes see users attempt to authenticate with invalid credentials. In the logs we see the following variations of errors:

Dec 18 13:21:31 sfo-openvpn1 openvpn[77827]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)

Dec 18 13:21:33 kernel: [3326305.784762] openvpn[44256]: segfault at 7f0bbeba6fc7 ip 00007f0bbeba6fc7 sp 00007f0bb4d82dc0 error 14 in liblber-2.4.so.2.10.8[7f0bbf1fe000+d000]

Dec 19 00:02:03 openvpn[124002]: pam_ldap: error trying to bind as user "cn=someuser,ou=people,dc=somedomain,dc=com" (Invalid credentials)

Dec 19 00:02:12 kernel: [3364744.281920] openvpn[124253]: segfault at 7f570ed8ffc7 ip 00007f570ed8ffc7 sp 00007f570539ddc0 error 14 in libcap-ng.so.0.0.0[7f570fc5d000+4000]

We have upgraded all system libraries and recompiled the latest available version of OpenVPN. It should be noted that we use the Viscosity client with Yubikeys, and thus have server-side tokens enabled.

Chris
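
Added example (not part of the ticket and not OpenVPN code): a decoder for the kernel segfault lines quoted in the description. It relies on the kernel printing the x86 page-fault error code in hex, so "error 14" is 0x14, and it checks whether ip actually lies inside the mapping named after "in". The function and field names are this example's own.

```python
import re

# Constructed sample input: the two kernel lines quoted in the ticket description.
SAMPLE_LINES = [
    'Dec 18 13:21:33 kernel: [3326305.784762] openvpn[44256]: segfault at 7f0bbeba6fc7 ip 00007f0bbeba6fc7 sp 00007f0bb4d82dc0 error 14 in liblber-2.4.so.2.10.8[7f0bbf1fe000+d000]',
    'Dec 19 00:02:12 kernel: [3364744.281920] openvpn[124253]: segfault at 7f570ed8ffc7 ip 00007f570ed8ffc7 sp 00007f570539ddc0 error 14 in libcap-ng.so.0.0.0[7f570fc5d000+4000]',
]

SEGFAULT_RE = re.compile(
    r'(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) '
    r'ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)'
    r'(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?'
)

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear).
ERR_BITS = [
    (0x01, 'protection violation', 'page not present'),
    (0x02, 'write access', 'read access'),
    (0x04, 'user mode', 'kernel mode'),
    (0x08, 'reserved bit set', None),
    (0x10, 'instruction fetch', None),
]

def decode_segfault(line):
    """Parse one kernel 'segfault at' line; return a dict, or None if no match."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ('addr', 'ip', 'err'))
    flags = [on if err & bit else off for bit, on, off in ERR_BITS]
    result = {
        'comm': m['comm'], 'pid': int(m['pid']), 'addr': addr, 'ip': ip,
        'error': err, 'flags': [f for f in flags if f],
        # Fault address == ip on an instruction fetch: control flow went to
        # an address that could not be executed.
        'jumped_to_bad_address': addr == ip and bool(err & 0x10),
        'object': m['obj'], 'ip_in_mapping': None,
    }
    if m['obj']:
        base, size = int(m['base'], 16), int(m['size'], 16)
        # False means ip is outside the [base, base+size) range the line names.
        result['ip_in_mapping'] = base <= ip < base + size
    return result

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(decode_segfault(line))
```

For both quoted lines the fault address equals ip, the code decodes to a user-mode instruction fetch from a page that is not present, and ip lies below the start of the named mapping, so the library name in the message does not by itself identify the faulting code.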

Change History (1)

comment:1 Changed 2 months ago by Gert Döring

Are you using plugin-auth-pam to authenticate or the LDAP plugin (https://packages.debian.org/jessie/openvpn-auth-ldap) directly?

This smells like a bug in the ldap glue libraries, passing invalid data to the LDAP libraries in case "something invalid" is passed (too-long password?).
